Security
Wise Owl Legal takes many precautions to safeguard the security of your data stored in an Appliance. We treat your data like gold and try to go beyond current industry standards (where possible) to ensure your data does not fall into unauthorised hands.
However, it is important to note that we cannot give guarantees regarding data security. While Wise Owl Legal has implemented a variety of security safeguards, the nature of IT security is such that just one slip-up by a programmer, designer, or end user may result in data being disclosed to unauthorised persons. That is, Wise Owl must get security right every time, 100%, without fail; a malicious attacker only needs to slip in once to access data.
Why So Much Security?
Users and administrators of other legal software packages may be surprised by the amount of time and effort Wise Owl Legal has put into security. However, we believe the integrity and secrecy of the data stored within Wise Owl Legal Appliances is of paramount importance. There have been a number of high-profile devices and websites compromised and sensitive data disclosed in the past few years, including personal details (with credit card numbers), passwords, public infrastructure (think power plants or heavy industry), media (US media companies have been experiencing attacks from Chinese government agencies) and the notorious WikiLeaks. We do not want Wise Owl Legal to be added to this list.
Malicious attackers are cunning, incredibly patient and may be highly funded. They are interested in a variety of data typically stored in Wise Owl Legal Appliances such as personal contact details, personal history contained in matters and documents, passwords and financial records. This information can be traded in underground black markets, or may simply be posted publicly as a kind of trophy or badge among other hackers. Given enough time, resources and sufficient motive (which may not always be strictly financial), a malicious hacker stands a real possibility of stealing data from a Wise Owl Legal Appliance.
Humans are notoriously bad at keeping secrets and choosing appropriate passwords, and are prone to opening obviously dodgy emails. The human factor is one of the most common ways passwords are stolen these days (using emails and websites that are designed to look legitimate but are actually run by the hacker). And once an attacker knows a password, they can access a user's account and take whatever that user has access to.
Finally, there is the tried and true approach of break-and-enter. A Wise Owl Legal Appliance is small, easily transportable, and could easily be stolen by a malicious attacker if they thought it brought enough benefit.
Wise Owl Legal has taken steps in all the above areas to prevent data being stolen.
Online vs Offline Appliances
Appliances are configured in either Online or Offline mode. When in Offline mode, the Appliance is only accessible from a local network (usually your office) and denies access to any attempt to connect from the Internet. Online mode allows connections from any Internet address, but must implement stricter login policies.
If your Appliance is kept in our data centre and you access it remotely, your Appliance is in Online mode.
Additional Security for Online Appliances
SSL Certificates and HTTPS
Whole Appliance Encryption
Highly Sensitive Data Encrypted
Passwords
Secret passwords are the main defence any website or appliance has to ensure only authorised users get access to it. Unfortunately, a bad password is only slightly better than no password (and provides a false sense of security).
Admin Accounts
Wise Owl Legal configures every Appliance with unique, strong administrator passwords during initial configuration (unlike many appliance-like devices on the Internet). And remote support accounts must obey the same strict security rules that any other user working outside the office must obey. The underlying operating system follows established best practices and has a unique, strong admin password. There are no open back doors for attackers to enter by.
Password Storage
Passwords are stored in a form which cannot be read unless you know the password itself. Additionally, to make discovery more difficult if an attacker were to gain access to the encrypted passwords, Appliances apply the encryption routine many thousands of times. Technically, Appliances use the PBKDF2 algorithm with SHA1 and a minimum of 5000 iterations (more on higher-end Appliances).
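The storage scheme described above, sketched as an added example (this is not Wise Owl Legal's code). The per-password random salt, the `algorithm$iterations$salt$hash` record layout and the function names are assumptions made for illustration; only PBKDF2 with SHA1 and the 5000-iteration minimum come from the page.

```python
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha1"   # the page names PBKDF2 with SHA1
MIN_ITERATIONS = 5000       # the page's stated minimum
SALT_BYTES = 16             # assumption: a random salt per password


def hash_password(password, iterations=MIN_ITERATIONS, salt=None):
    """Return a self-describing record: algorithm$iterations$salt$hash (hex)."""
    if iterations < MIN_ITERATIONS:
        raise ValueError("iteration count below the minimum")
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    return "$".join([ALGORITHM, str(iterations), salt.hex(), digest.hex()])


def verify_password(password, record):
    """Recompute with the stored salt and count, then compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        iterations = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: fail closed
    if algorithm != ALGORITHM or iterations < 1:
        return False
    actual = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(record, target_iterations):
    """True when a record was created with fewer iterations than now required."""
    return int(record.split("$")[1]) < target_iterations
```

Keeping the iteration count inside each record is what lets different Appliances use different counts: after a successful login, a record for which `needs_rehash` is true can be replaced with one computed at the higher count.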
Poor Password Choice
Poorly chosen passwords are the number one cause of accounts being compromised (with re-using passwords between multiple accounts a close second). Rather than imposing complicated rules of upper case, lower case, number, length and so forth, we maintain a large list of blacklisted passwords (there are several million bad passwords on the list). This list is derived from a variety of sources including dictionaries and lists of names, but most importantly, we include long lists of leaked passwords from sites such as LinkedIn and RockYou. Finally, we use the same tools password hackers do to verify passwords are not easily guessable.
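A blacklist check of the kind described above, as an added example (not Wise Owl Legal's code). It shows why the lookup has to undo the simple variations that guessing tools also try. The tiny blacklist, the substitution table and the function name are constructed for illustration.

```python
import re

# Constructed sample; the page describes a list of several million entries.
BLACKLIST = {"password", "letmein", "qwerty", "dragon", "linkedin", "michael"}

# Character substitutions to undo before lookup (assumed set for this example).
LEET = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
    "7": "t", "@": "a", "$": "s", "!": "i",
})

# Digits and symbols added to the start or end of a base word.
EDGE_NOISE = re.compile(r"^[\W\d_]+|[\W\d_]+$")


def rejection_reason(password, blacklist=BLACKLIST):
    """Return the blacklisted entry the password reduces to, or None if accepted."""
    lowered = password.lower()
    stripped = EDGE_NOISE.sub("", lowered)
    forms = (
        lowered,                   # exact match, ignoring case
        stripped,                  # "Dragon2013" -> "dragon"
        lowered.translate(LEET),   # "l3tm31n"    -> "letmein"
        stripped.translate(LEET),  # "P@ssw0rd1!" -> "password"
    )
    for form in forms:
        if form in blacklist:
            return form
    return None
```

A rule that only demanded upper case, a digit and a symbol would accept `P@ssw0rd1!`; this check rejects it because it reduces to a listed entry.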
Restricted User Access